Notes from DEVOPS 2020 Online conference

DevOps 2020 Online was held 21.4. and 22.4.2020; the first day covered Cloud & Transformation and the second was the 5G DevOps Seminar. Here are some quick notes from the talks I found the most interesting. The talk recordings are available from the conference site.

DevOps 2020

How to improve your DevOps capability in 2020

Marko Klemetti from Eficode presented three actions you can take to improve your DevOps capabilities. The talk looked at current DevOps trends against organizations on different maturity levels and gave ideas on how you can improve tooling, culture and processes.

Build the production pipeline around your business targets.

Automation builds bridges until you have self-organized teams.

Adopt a DevOps platform. Aim for self-service.

Invest in a Design System and testing in natural language:

It brings people in the organization together.

Testing is the common language between stakeholders.

You can have discussions over the test cases: automated quality assurance from stakeholders.

Validate business hypothesis in production:

Enable canary releasing to lower the deployment barrier.

You cannot improve what you don't see. Make your pipeline data-driven.

Practical DevSecOps Using Security Instrumentation

Jeff Williams from Contrast Security talked about how we need a new approach to security that doesn't slow development or hamper innovation. He showed how you can ensure software security from the "inside out" by leveraging the power of software instrumentation. It establishes a safe and powerful way for development, security, and operations teams to collaborate.

DevSecOps is about changing security, not DevOps

What is security instrumentation?

Security testing with instrumentation:

Add matchers to catch potentially vulnerable code and report rule violations when they happen, like using unparameterized SQL. This is similar to what static code analysis does, but it runs inside the application.

Making security observable with instrumentation:

Check for e.g. access control for methods

Preventing exploits with instrumentation:

Check that a command isn't run outside of its declared scope.

The examples were written with Java but the security checks should be implementable also on other platforms.
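To make the three modes concrete on another platform, here is an added Python sketch of in-process security instrumentation. It is not code from the talk or from Contrast Security's product; the taint registry, the rule names ("unparameterized-sql", "command-scope") and the declared-command allowlist are my own assumptions. The SQL sensor wraps a DB-API connection and reports a query that is executed without bind parameters while containing an untrusted value verbatim; the command sensor reports a command that the service never declared. In "report" mode the rules only observe (security testing and observability), in "protect" mode they block (exploit prevention).

```python
import sqlite3
from dataclasses import dataclass, field


@dataclass
class Finding:
    rule: str
    detail: str


@dataclass
class Instrumentation:
    """Rule state: mode, declared command scope, taint registry and findings (hypothetical)."""
    mode: str = "report"                      # "report" observes; "protect" blocks
    allowed_commands: set = field(default_factory=set)
    tainted: set = field(default_factory=set)
    findings: list = field(default_factory=list)

    def taint(self, value):
        """Mark a value as untrusted; a real hook would do this at the request layer."""
        self.tainted.add(value)
        return value

    def report(self, rule, detail):
        self.findings.append(Finding(rule, detail))
        if self.mode == "protect":
            raise PermissionError(f"{rule}: {detail}")

    def wrap(self, conn):
        return InstrumentedConnection(conn, self)

    def run_command(self, argv):
        """Exec hook stand-in: only commands declared for this service are in scope.
        Nothing is launched here; a real hook would sit in front of subprocess."""
        if argv[0] not in self.allowed_commands:
            self.report("command-scope", f"{argv[0]!r} is not declared for this service")
            return False
        return True


class InstrumentedConnection:
    """Wraps a DB-API connection; execute() is the sensor for the SQL rule."""

    def __init__(self, conn, inst):
        self.conn, self.inst = conn, inst

    def execute(self, sql, params=()):
        if not params:  # no bind parameters: look for untrusted data spliced into the text
            for value in self.inst.tainted:
                if value in sql:
                    self.inst.report("unparameterized-sql",
                                     f"untrusted value {value!r} embedded in: {sql}")
                    break
        return self.conn.execute(sql, params)


def demo_report_mode():
    """Observe only: both violations are recorded, the application keeps running."""
    inst = Instrumentation(mode="report", allowed_commands={"pdftotext"})
    conn = inst.wrap(sqlite3.connect(":memory:"))
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "admin"))

    name = inst.taint("alice")  # constructed request input
    conn.execute(f"SELECT role FROM users WHERE name = '{name}'")  # vulnerable pattern
    conn.execute("SELECT role FROM users WHERE name = ?", (name,))  # safe pattern
    inst.run_command(["pdftotext", "report.pdf"])  # in scope
    inst.run_command(["sh", "-c", "id"])           # out of scope
    return [f.rule for f in inst.findings]


def demo_protect_mode():
    """Block: the unparameterized query is never handed to the database."""
    inst = Instrumentation(mode="protect")
    conn = inst.wrap(sqlite3.connect(":memory:"))
    conn.execute("CREATE TABLE users (name TEXT)")
    name = inst.taint("bob")
    try:
        conn.execute(f"SELECT name FROM users WHERE name = '{name}'")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo_report_mode())   # ['unparameterized-sql', 'command-scope']
    print(demo_protect_mode())  # True
```

The substring check is a deliberate simplification: a real agent tracks data flow through string operations so that short or transformed inputs are still caught and constants are not flagged. Report mode is what you would run in CI and test environments to gather findings without changing application behaviour; protect mode is the runtime-protection variant and should be enabled only after the rules have proven quiet on legitimate traffic.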

Modern security (inside-out)

Their AppSec platform's Community Edition is free to try out, but only for Java and .NET.

Open Culture: The key to unlocking DevOps success

Chris Baynham-Hughes from Red Hat talked about how the blockers for DevOps in most organisations are people and process based rather than a lack of tooling. Addressing issues relating to culture and practice is key to breaking down organisational silos, shortening feedback loops and reducing the time to market.

Scaling DevSecOps to integrate security tooling for 100+ deployments per day

Rasmus Selsmark from Unity talked about how Unity integrates security tooling better into the deployment process. Best practices for securing your deployments involve running security scanning tools as early as possible in your CI/CD pipeline, not as an isolated step after the service has been deployed to production. The session covered best security practices for securing the build and deployment pipeline, with examples and tooling.

Standardized CI/CD pipeline, used to deploy 200+ microservices to Kubernetes.

Shared CI/CD pipeline enables DevSecOps

Kubernetes security best practices

DevSecOps workflow: Early feedback to devs <-----> Collect metrics for security team

A standardized CI/CD pipeline makes it possible to introduce security features across teams and microservices.
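As an added illustration of the shared-pipeline idea (early feedback to developers on one side, metrics for the security team on the other), here is a security gate stage in Python. It is not Unity's code; the two scanner output schemas, the placeholder finding ids ("VULN-0001" and so on) and the accepted-risk file format are constructed for the example. The stage normalizes findings from different tools into one shape, fails the build on anything at or above the team's severity threshold unless the risk was accepted and the acceptance has not expired, and emits one metrics record per run.

```python
import json
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output (placeholder ids, not real advisories) in two
# hypothetical schemas, standing in for a dependency scanner and an image scanner.
DEP_SCAN = json.dumps({"vulnerabilities": [
    {"id": "VULN-0001", "package": "libexample", "severity": "HIGH"},
    {"id": "VULN-0002", "package": "libother", "severity": "LOW"},
]})
IMAGE_SCAN = json.dumps({"Results": [{"Target": "app:1.0", "Vulnerabilities": [
    {"VulnerabilityID": "VULN-0003", "PkgName": "openssl", "Severity": "CRITICAL"},
]}]})


def normalize(dep_json, image_json):
    """Map both scanner schemas onto one record shape so a single gate serves every tool."""
    findings = []
    for v in json.loads(dep_json)["vulnerabilities"]:
        findings.append({"id": v["id"], "component": v["package"],
                         "severity": v["severity"].lower(), "source": "dependency-scan"})
    for result in json.loads(image_json)["Results"]:
        for v in result.get("Vulnerabilities", []):
            findings.append({"id": v["VulnerabilityID"], "component": v["PkgName"],
                             "severity": v["Severity"].lower(), "source": "image-scan"})
    return findings


def gate(findings, accepted_risks, threshold="high", today=None):
    """Decide pass/fail and build the metrics record.

    accepted_risks maps finding id -> ISO expiry date. An expired acceptance no
    longer suppresses the finding, so every risk decision gets revisited.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    blocking, suppressed, expired = [], [], []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[threshold]:
            continue
        expiry = accepted_risks.get(f["id"])
        if expiry is not None and date.fromisoformat(expiry) >= today:
            suppressed.append(f)
            continue
        if expiry is not None:
            expired.append(f)
        blocking.append(f)
    metrics = {
        "date": today.isoformat(),
        "by_severity": {s: sum(1 for f in findings if f["severity"] == s) for s in SEVERITY_RANK},
        "blocking": len(blocking),
        "suppressed": len(suppressed),
        "expired_acceptances": len(expired),
    }
    return not blocking, blocking, metrics


def pipeline_stage(dep_json, image_json, accepted_risks, today=None):
    """The CI step: fail fast with a developer-facing message, emit metrics for security."""
    findings = normalize(dep_json, image_json)
    passed, blocking, metrics = gate(findings, accepted_risks, today=today)
    for f in blocking:
        print(f"BLOCKED {f['severity'].upper()} {f['id']} in {f['component']} ({f['source']})")
    print("METRICS " + json.dumps(metrics, sort_keys=True))  # collected centrally in a real pipeline
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(pipeline_stage(DEP_SCAN, IMAGE_SCAN, {"VULN-0001": "2099-12-31"}))
```

Keeping the threshold and the accepted-risk list as data that each team owns, while the gate logic lives in the shared pipeline, is what lets a security feature roll out to every microservice at once without every team re-implementing it. The metrics line is the hook for the security team: shipped to whatever collects pipeline output, it gives counts per severity and how many acceptances are about to expire, without anyone needing access to individual builds.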

Data-driven DevOps: The Key to Improving Speed & Scale

Kohsuke Kawaguchi, creator of Jenkins, from Launchable talked about how some organizations are more successful with DevOps than others and where those differences seem to be made. One is around data (insight) and another is around how they leverage "economy of scale".

Cost/time trade-off:

CFO: why do we spend so much on AWS?

Visibility into cost at project level

Make developers aware of the trade-off they are making: Build time vs. Annual cost

Moving 100,000 engineers to DevOps on the public cloud

Sam Guckenheimer from Microsoft talked about how Microsoft transformed to using Azure DevOps and GitHub with a globally distributed 24x7x365 service on the public cloud. The session covered organizational and engineering practices in five areas.

Customer Obsession

Connect our customers directly and measure:

Direct feedback in product, visible on public site, and captured in backlog

Develop personal connection and cadence.

For top customers, have a "Champ" who maintains regular personal contact, a long-term relationship and an understanding of the customer's desires.

Definition of done: live in production, collecting telemetry that examines the hypothesis which motivated the deployment